b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n\n     UNIVERSITIES\xe2\x80\x99 USE OF SOCIAL\n    SECURITY NUMBERS AS STUDENT\n       IDENTIFIERS IN REGION X\n\n    March 2005     A-08-05-15033\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xc2\x81 Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n  \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xc2\x81 Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xc2\x81 Independence to determine what reviews to perform.\n  \xc2\x81 Access to all information necessary for the reviews.\n  \xc2\x81 Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration's programs, operations, and management and in\nour own office.\n\x0c                                           SOCIAL SECURITY\nMEMORANDUM\n\nDate:   March 8, 2005                                                                     Refer To:\n\nTo:     Carl L. Rabun\n        Regional Commissioner\n         Seattle\n\nFrom:   Inspector General\n\nSubject: Universities\xe2\x80\x99 Use of Social Security Numbers as Student Identifiers in Region X\n        (A-08-05-15033)\n\n\n        OBJECTIVE\n        Our objective was to assess universities\xe2\x80\x99 use of Social Security numbers (SSN) as\n        student identifiers and the potential risks associated with such use.\n\n        BACKGROUND\n        Millions of students enroll in educational institutions each year. To assist in this\n        process, many colleges and universities use students\xe2\x80\x99 SSNs as personal identifiers.\n        The American Association of Collegiate Registrars and Admissions Officers found that\n        half of member institutions that responded to a 2002 survey used SSNs as the primary\n        student identifier.1 Although no single Federal law regulates overall use and disclosure\n        of SSNs by colleges and universities, the Privacy Act of 1974, the Family Educational\n        Rights and Privacy Act, and the Social Security Act, contain provisions that govern\n        disclosure and use of SSNs. See Appendix A for more information on the specific\n        provisions of these laws.\n\n        We selected a sample of eight educational institutions in Region X.2 For each selected\n        school, we interviewed university personnel and reviewed school policies and practices\n        for using SSNs. In addition, we identified two schools outside of Region X that no\n        longer used SSNs as student identifiers and determined reasons for this change and\n        best practices that could be adopted by other schools. See Appendices B and C for\n        additional details regarding the scope and methodology of our review and a list of the\n        universities we contacted, respectively.\n\n        1\n         Academic Transcripts and Records: Survey of Current Practices, April 2002 Special Report, the\n        American Association of Collegiate Registrars and Admissions Officers.\n        2\n            Region X consists of the following four states: Washington, Oregon, Idaho, and Alaska.\n\x0cPage 2 \xe2\x80\x93 Carl L. Rabun\n\n\nRESULTS OF REVIEW\n\nBased on our interviews with university personnel and reviews of school policies and\npractices, we are concerned about universities\xe2\x80\x99 use of SSNs. We identified instances in\nwhich universities used SSNs as the primary student identifier or for other purposes,\neven when another identifier would suffice. Based on our previous audit and\ninvestigative findings, we know that unnecessary use of SSNs increases the potential\nfor unscrupulous individuals to illegitimately gain access to these numbers and misuse\nthem, thus creating SSN integrity issues. Some university personnel with whom we\nspoke shared our concern and have taken steps to reduce SSN use.\n\nUNIVERSITIES\xe2\x80\x99 USE OF SSNs\n\nDespite the increasing threat of identity theft, some colleges and universities continue to\nuse SSNs for various purposes. Our visits to four colleges and universities and\ntelephone interviews with four others in Region X disclosed that universities used SSNs\nas the primary student identifier and for admissions applications, class registration,\naccess to computer systems, class rosters, and grade reports.\n\nIn Region X, one university official told us her university requests SSNs during\nadmissions and uses them as the primary student identification number. She also told\nus the State University System requests students\xe2\x80\x99 SSNs so it can track student\nmovement and educational outcomes through the K-12 and higher education systems.\nAn official at another university told us her school uses SSNs because they are unique\nidentifiers and are helpful when comparing student transcripts and name changes. The\nuniversity official also stated her school allows students to use another identification\nnumber, although students must formally request to do so.\n\nAnother university official told us his Information Technology department uses SSNs to\nconfirm students\xe2\x80\x99 identities and ensure the school has correct student records. Also, an\nofficial at another university told us her school primarily uses SSNs to retrieve\ninformation when student identification numbers are not readily available and to\ndifferentiate between student records with the same name.\n\nPOTENTIAL RISKS ASSOCIATED WITH COLLECTING AND USING SSNs\n\nWhile the schools we contacted in Region X did not report any instances of identity theft\nor fraud, universities\xe2\x80\x99 collection and use of SSNs entail certain risks. Each time an\nindividual divulges his or her SSN, the potential for a thief to illegitimately gain access to\nbank accounts, credit cards, driving records, tax and employment histories and other\nprivate information increases. Because many universities still use SSNs as the primary\nstudent identifier, students\xe2\x80\x99 exposure to identity theft and fraud remains today. We\nbelieve the following examples illustrate students\xe2\x80\x99 risk of exposure to such activity\nnationwide and in Region X.\n\x0cPage 3 \xe2\x80\x93 Carl L. Rabun\n\n\n\xe2\x80\xa2        A university professor in Washington was indicted on 33 counts of mail fraud in a\n         scam using students\xe2\x80\x99 SSNs. The professor allegedly accessed the university\xe2\x80\x99s\n         records system and used students\xe2\x80\x99 information to obtain new SSN cards by\n         posing as a parent. The professor then allegedly used the SSNs to obtain credit\n         cards and birth certificates.\n\n\xe2\x80\xa2        California authorities arrested a man suspected of stealing the names and SSNs\n         of 150 college students and using that information to obtain credit cards and\n         charge over $200,000 in the students\xe2\x80\x99 names.\n\n\xe2\x80\xa2        A New York school notified about 1,800 students that their SSNs and other\n         personal information had been posted on a university website. The university\n         shut down the website and apologized to the students in an e-mail.\n\n\xe2\x80\xa2        A student at a Texas university was accused of hacking into the school\xe2\x80\x99s\n         computer network and downloading the names and SSNs of over 55,000\n         students, faculty, and alumni.\n\n\xe2\x80\xa2        A gentleman discovered a computer printout in a trash bin near a Pennsylvania\n         university listing SSNs and other personal data for hundreds of students.\n\nSOME UNIVERSITIES AND STATES HAVE TAKEN STEPS TO LIMIT SSN USE\n\nNumerous incidences of identity theft at colleges and universities and the recognition\nthat SSNs are linked to vast amounts of personal information have led some schools to\nreconsider the practice of using SSNs as primary student identifiers. Several schools\nhave taken steps to reduce their reliance on SSNs or have turned to alternative\nidentifiers. In addition, some States have enacted laws to regulate college and\nuniversity use of SSNs.\n\nUniversity personnel we contacted in Region X acknowledged the potential risks for\nidentity theft and fraud, and some have taken steps to reduce their reliance on SSNs.\nThe Registrar at Idaho State University told us her school does not use SSNs as the\nprimary student identifier. Instead, it uses a six-digit identification number to track\nstudents within the university system. Also, the Assistant Registrar at Seattle University\ntold us her university issues student identification numbers and has not used SSNs as\nthe primary student identifier since 1997. In addition, the Registrar at the University of\nWashington told us his university has never used SSNs as the primary student identifier\nand no longer displays them on student records. Further, the State of Washington\nrequires that institutions of higher education use personal identifiers that are not SSNs.3\n\nIn addition, we identified two schools outside of Region X that no longer used SSNs as\nstudent identifiers and determined reasons for this change and best practices that could\nbe adopted by other schools. In 2003, the Georgia Institute of Technology (Georgia\nTech) stopped using SSNs of students, faculty, and staff on identification cards and as\n3\n    Rev. Code Wash. (ARCW) \xc2\xa7 28B.10.042.\n\x0cPage 4 \xe2\x80\x93 Carl L. Rabun\n\n\nthe primary means of identification in campus databases because of increased identity\ntheft concerns. To replace SSNs, Georgia Tech created the Georgia Tech Identification\nNumber, a unique number the school uses to identify students in most major campus\ndatabases. The Associate Registrar told us the conversion from using SSNs as the\nprimary student identifier took about 2 years of planning but was not difficult. In fact,\nshe stated the actual conversion took only 1 weekend. Georgia Tech has provided\ninformation to other schools to assist them in their SSN conversion efforts. Georgia\nTech collects SSNs for certain services, for example, payroll, immigration and financial\naid.\n\nIn 2003, the University of Florida replaced the SSN as a student identifier and key to\nstudent records with an eight-digit public identification number to reduce the visibility of\nthe SSN during normal university business. The University of Florida changed to an\neight-digit number so students would not confuse it with their SSN. Students also have\na Gatorlink username and password for on-line class registration and other applications.\nAccording to the University Registrar, the conversion from SSNs to an eight-digit\nstudent identifier was challenging as it affected every administrative system. He told us\nit took the university 1-2 years of planning before the conversion. The Registrar also\ntold us that faculty members no longer have access to students\xe2\x80\x99 SSNs. While some\nuniversity offices (admissions, registrar, student financial affairs and university financial\nservices) still need SSNs to perform their duties, faculty and staff do not ask for SSNs,\nand students are informed that University personnel should not ask for their SSN. The\nUniversity Registrar told us the University of Florida offices will not collect or use SSNs\nunless they are needed for State and federally mandated requirements.\n\nOther colleges and universities have taken steps to limit SSN use. Arizona State\nUniversity, the University of Michigan, Penn State University, the University of Maryland,\nthe University of Illinois, and the University of Texas have specific policies regarding\nSSN disclosure and use and have stopped using SSNs as the primary student\nidentification number. In addition, several States, including Arizona, New York,\nMaryland, Rhode Island, and Wisconsin have enacted laws to regulate college and\nuniversity SSN use.\n\x0cPage 5 \xe2\x80\x93 Carl L. Rabun\n\n\nCONCLUSION AND RECOMMENDATIONS\nDespite the potential risks associated with using SSNs as primary student identifiers,\nmany colleges and universities continue this practice. While we recognize that SSA\ncannot prohibit colleges and universities from using SSNs as student identifiers, we\nbelieve SSA can help reduce potential threats to SSN integrity by encouraging schools\nto limit SSN collection and use. We also recognize the challenge of educating such a\nlarge number of educational institutions. However, given the potential threats to SSN\nintegrity, such a challenge should not discourage SSA from taking steps to safeguard\nSSNs. Accordingly, we recommend that SSA:\n\n1. Coordinate with colleges/universities and State/regional educational associations to\n   educate the university community about the potential risks associated with using\n   SSNs.\n\n2. Encourage colleges and universities to limit their collection and use of SSNs.\n\n3. Promote the best practices of educational institutions that no longer use SSNs as\n   student identifiers.\n\nAGENCY COMMENTS AND OIG RESPONSE\nSSA agreed with our recommendations. We believe SSA\xe2\x80\x99s response and planned\nactions adequately address our recommendations and will help strengthen SSN\nintegrity. SSA also provided technical comments that we considered and incorporated,\nwhere appropriate. SSA\xe2\x80\x99s comments are included in Appendix D.\n\n\n\n\n                                                S\n                                                Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                      Appendices\nAPPENDIX A \xe2\x80\x93 Federal Laws that Govern Disclosure and Use of the Social Security\n             Number\n\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX C \xe2\x80\x93 Educational Institutions Contacted\n\nAPPENDIX D \xe2\x80\x93 Agency Comments\n\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                                    Appendix A\nFederal Laws that Govern Disclosure and Use of the\nSocial Security Number\nThe following Federal laws establish a general framework for disclosing and using the\nSocial Security number (SSN).\n\nThe Privacy Act of 1974 (5 U.S.C. \xc2\xa7 552a, note; Pub. L. No. 93-579, \xc2\xa7\xc2\xa7 7(a) and 7(b))\n\nThe Privacy Act of 1974 provides that it is unlawful for a State government agency to\ndeny any person a right, benefit, or privilege provided by law based on the individual\xe2\x80\x99s\nrefusal to disclose his/her SSN, unless such disclosure was required to verify the\nindividual\xe2\x80\x99s identity under a statute or regulation in effect before January 1, 1975.\nFurther, under Section 7(b), a State agency requesting that an individual disclose\nhis/her SSN must inform the individual whether the disclosure is voluntary or\nmandatory, by what statutory or other authority the SSN is solicited and what uses will\nbe made of the SSN.\n\nThe Family Educational Rights and Privacy Act (20 U.S.C. \xc2\xa7 1232g; 34 C.F.R. Part 99)\n\nThe Family Educational Rights and Privacy Act (FERPA) protects the privacy of student\neducation records. FERPA applies to those schools that receive funds under an\napplicable program of the U.S. Department of Education. Under FERPA, an\neducational institution must have written permission from the parent or eligible student\nto release any personally identifiable information (which includes SSNs) from a\nstudent\xe2\x80\x99s education record.1 FERPA does, however, provide certain exceptions in\nwhich a school is allowed to disclose records without consent. These exceptions\ninclude disclosure without consent to university personnel internally who have a\nlegitimate educational interest in the information, to officials of institutions where the\nstudent is seeking to enroll/transfer, to parties to whom the student is applying for\nfinancial aid, to the parent of a dependent student, to appropriate parties in compliance\nwith a judicial order or lawfully issued subpoena, or to health care providers in the event\nof a health or safety emergency.\n\n\n\n\n1\n  FERPA gives parents certain rights with respect to their children\xe2\x80\x99s education records. These rights\ntransfer to the child when the child reaches the age of 18 or attends an institution of postsecondary\neducation. Children that have been transferred rights are referred to as \xe2\x80\x9celigible students.\xe2\x80\x9d\n\n                                                   A-1\n\x0cThe Social Security Act\n\nThe Social Security Act provides that \xe2\x80\x9cSocial Security account numbers and related\nrecords that are obtained or maintained by authorized persons pursuant to any\nprovision of law, enacted on or after October 1, 1990, shall be confidential, and that no\nauthorized person shall disclose any such Social Security account number or related\nrecord\xe2\x80\x9d\n(42 U.S.C. \xc2\xa7405(c)(2)(C)(viii)). The Social Security Act also provides that \xe2\x80\x9c[w]hoever\ndiscloses, uses, or compels the disclosure of the Social Security number of any person\nin violation of the laws of the United States; shall be guilty of a felony . . .\xe2\x80\x9d (42 U.S.C.\n\xc2\xa7408(a)(8)).\n\n\n\n\n                                         A-2\n\x0c                                                                         Appendix B\n\nScope and Methodology\nTo accomplish our objective, we\n\n\xe2\x80\xa2   interviewed selected university personnel responsible for student\n    admissions/registrations;\n\n\xe2\x80\xa2   reviewed Internet websites of eight colleges and universities that we either visited or\n    interviewed by telephone;\n\n\xe2\x80\xa2   reviewed applicable laws and regulations; and\n\n\xe2\x80\xa2   reviewed selected studies, articles and reports regarding universities\xe2\x80\x99 use of Social\n    Security numbers as student identifiers.\n\nWe visited four educational institutions and interviewed personnel at four others to learn\nmore about their policies and practices for using Social Security numbers as student\nidentifiers. In addition, we identified two schools that no longer used Social Security\nnumbers as student identifiers and determined reasons for this change and best\npractices that could be adopted by other schools. Our review of internal controls was\nlimited to gaining an understanding of universities\xe2\x80\x99 policies over the collection, protection\nand use/disclosure of SSNs. The Social Security Administration entity reviewed was the\nOffice of the Deputy Commissioner for Operations. We conducted our audit from June\nthrough October 2004 in accordance with generally accepted government auditing\nstandards.\n\x0c                                                                             Appendix C\n\nEducational Institutions Contacted\nWe interviewed personnel at eight educational institutions in Region X. The following\ntable shows the names and locations of these schools as well as their total student\nenrollments.\n\n\n\n                          School                           Location          Student Enrollment\n\n    1     University of Washington                 Seattle, Washington             48,000\n\n    2     Portland State University                Portland, Oregon                22,409\n\n    3     Idaho State University                   Pocatello, Idaho                13,666\n\n    4     University of Alaska \xe2\x80\x93 Anchorage         Anchorage, Alaska               13,664\n\n    5     Seattle University                       Seattle, Washington             3,765\n\n    6     Lewis-Clark State College                Lewiston, Idaho                 3,471\n\n    7     Pacific Northwest College of Art         Portland, Oregon                2,800\n\n    8     Alaska Pacific University                Anchorage, Alaska                673\n\nSource: We determined student enrollment by reviewing university websites.\n\x0c                                                                        Appendix D\nAgency Comments\nThank you for the opportunity to comment on the draft OIG audit of Universities\xe2\x80\x99 Use of\nSocial Security Numbers (SSNs) as Student Identifiers in Region X. We have a few\ngeneral comments about the draft, as well as responses to the OIG recommendations.\n\nRecommendations\n\nCoordinate with colleges/universities and State/regional educational associations to\neducate the university community about the potential risks associated with using SSNs\nas student identifiers.\nWe agree with this recommendation. As we continue our regular and ongoing public\naffairs outreach, we will stress to the institutions and educational associations in the\nRegion the potential risks associated with using SSNs as student identifiers.\nEncourage colleges and universities to limit their collection and use of SSNs.\nWe agree with this recommendation. As we continue our regular and ongoing public\naffairs outreach, we will discourage the collection and use of the SSN by colleges and\nuniversities.\nPromote the best practices of educational institutions that no longer use SSNs as\nstudent identifiers.\nWe agree with this recommendation. As we continue our regular and ongoing public\naffairs outreach, we will cite the examples given in this audit to the institutions and\nassociations contacted. However, it would be helpful if OIG can provide more detail on\nthe experiences of the universities noted on page 5 of the audit, including any available\ncontact information. Any Seattle Region university wishing to follow the lead of one of\nthe institutions cited as moving away from a reliance on SSNs will likely want to discuss\ndetails with that university.\n\n\nIf your staff have any questions, they may contact Tim Beard, RSI Programs and\nSystems Team, at 206 615-2125, or by email at Tim.Beard@ssa.gov.\n\n\n                                             Carl L. Rabun\n\x0c                                                                       Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kimberly A. Byrd, Director, (205) 801-1605\n\n   Jeff Pounds, Audit Manager, (205) 801-1606\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Neha Smith, Auditor-in-Charge\n\n   Kathy Youngblood, Senior Auditor\n\n   Susan Phillips, Auditor\n\n   Kimberly Beauchamp, Writer-Editor\n\n\nFor additional copies of this report, please visit our web site at www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 965-3218.\nRefer to Common Identification Number A-08-05-15033.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                  Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"